Hacked! How it happened, what I did and what you should do

I was recently hacked in a very serious and scary way and am still dealing with it. I got an email from the person who administers my accounts at one of the major investment banking companies. It was in response to an email that appeared to come from my account but was not sent by me. The email referred to the administrator by her first name and requested that $25,000 be sent “to one of my clients.” The administrator’s reply, which I saw, asked me for the wire information and a signature. While the email looked normal, anyone who knew me well would have guessed that it was not from me because of the writing style.

I called the admin right away. Incidentally, I was not in the USA at the time. I told her that the email was not from me and that I had clearly been hacked. I asked her to report it to the security people at her firm, who never bothered to contact me. As we were speaking, a second email came in from the hacker. It had the wire transfer instructions with my signature, which they had clearly gotten from another document in my email account. I felt a chill go up my back.

Then I went to work in a very intensive way to change all my passwords, starting with my email accounts. Then I changed my emails on my bank accounts.

I called the officer that handles my regular bank account. She was very sympathetic and said this was happening a lot.

I then called the bank which was supposed to receive the wire transfer. It was a credit union in Tennessee. I spoke to a security person there and gave them all the information. I figured that the hacker might be using this sleepy credit union to accumulate the day’s haul and then transfer the funds out.

Strangely, I had just been talking with friends who are staying with us about the importance of good computer security. I boasted that I had never been hacked. I explained that I use strong passwords as well as 1Password. I use different passwords for different accounts and I am very careful about clicking on links in emails to avoid phishing sites.

So how did this happen to me?

Well, my main email account goes to an ISP and then is forwarded to my iCloud account and a Gmail account. I don’t really use the ISP account. So here is how I think I got into trouble. I used to use a common password on all these sites, like many of you. I forgot that I had used this password on my mail account at the ISP and maybe dozens of other internet sites. Some of these sites could have been easily hacked and my email address and password taken. My email address uses my domain, but it is easy to use a DNS lookup program to find out where the domain is hosted. Then it would be very easy to log into my email account to both send and receive emails. I actually think that the hacker did not use my email account to send the email to the administrator, since I could not find a trace of that, but the hacker did read my emails to check for the response from the admin. Once I changed the passwords on my email account, the hacker (who might even be reading this blog post) was cut off unless he/she has some kind of virus on my computer. I did run virus detection and did not find anything.

I should mention that just before I saw the email response from the admin to the phony email, I got a message that someone tried to change my password on Dropbox. But they did not change it successfully, because Dropbox would have sent an email saying it had been changed. Not sure why this happened.

It could have been worse and it might still be worse

The hacker could have changed the passwords on my email account and I would not have been able to get into my email. This may have actually happened, but the hacker did not really understand that the control panel at my ISP would not have removed the forwarding to my iCloud account. Once you are locked out of your email, you have a very difficult time changing passwords because most sites send you an email with the instructions and a link for changing them. I would have called the ISP and had them change the password so I could get into my account, if I could convince my ISP that I was indeed me.

The hacker had access to all my emails. He probably spent some time trying to figure out how I bank. Maybe he used a robot to look for emails from financial institutions. But in looking through my emails he could have learned, or did learn, a great deal about my life. He could see investment reports. He could have realized that I use a voice over IP service and actually gone into that service and had my calls forwarded to his own phone service so he could intercept calls to me.

Once a hacker has control of your email account, they can go about finding sites where you have accounts and resetting the passwords, thereby giving them access and locking you out. So sites that only require you to click on a link in an email sent to you are very risky if you ever lose control of your email account.

I don’t know if the hacker copied all my emails and will be doing additional data mining. It is a very frightening thought.

What I learned and what I suggest you do

We are totally dependent on email and, for most of us, we must make our email passwords very secure and never use them for any other purpose. That will limit the ability of a hacker to get into our email. They could still hack the ISP that we use or we could get some malware on our computers. We should always forward our emails to one or more accounts. That way, if the hacker does not realize that we have done that, we can still see emails sent to us and we can reset passwords if we need to. Many sites will send emails if someone tries to change a password so we would at least see that they tried and maybe succeeded.

Some sites, such as Google and Dropbox, now offer two-step verification. This relies on something you know (your password) and something you have (like your cell phone). I suggest you use this on every site that supports this capability.

Protect your email like it is your life (it might be):

1. Have a very strong password that you use only for email.

2. Have one or more additional email accounts where you forward your email. Gmail is good for this if it is not your main account.

3. Use two-step verification whenever possible.

4. Use strong passwords in general and consider using an application like 1Password that remembers your passwords on your computer and will generate new passwords for you.

5. Move sensitive documents out of your email account as soon as you no longer need them.

6. Make sure that your banks will not do a wire transfer without a verbal confirmation.

7. Assume that a hacker is reading everything you write and receive. My hacker could have been hanging out in my account for months.

8 thoughts on “Hacked! How it happened, what I did and what you should do”

Great information, thanks. I’m an IT professional and wanted to comment.

“my main email account goes to an ISP and then is forwarded to my iCloud account and a Gmail account. I don’t really use the ISP account. So here is how I think I got into trouble. I used to use a common password on all these sites, like many of you. I forgot that I had used this password on my mail account at the ISP and maybe dozens of other internet sites”

So I’m understanding that the ISP mailbox is the ‘entry point’ for all your inbound mail. The password for that ISP was used for other sites too. The guess is that the password was breached either by internal staff at one of these sites or via an external hacker of one of these sites.

Once the password is known it could have been used to access any number of commonly used ISP mailboxes or other sites that have username=email address (virtually all).

Things to point out:
1. It’s trivial to impersonate someone’s email address. Even a non-hacker can adjust their mail settings such that it ‘appears’ to come from potus@whitehouse.gov . This will be enough to fool most recipients unless they bother to look deeper at mail headers or IP numbers in the message (these can be spoofed too). Not much we can do about that. That doesn’t mean the reply will go back to the hacker UNLESS they used your full name and a slightly different email address (I have seen this cause havoc).

2. Check your mail settings. Many people are still using non-secure methods of the older SMTP / POP standard common to ISPs in the past. Make sure both SMTP and POP are set to use SSL.

3. I would not use an ISP mailbox. Securing your information is just not their main focus. They just want to get people to their mail by whatever means they can and move on. Either choose a mail platform with security as a primary focus (e.g. Microsoft Exchange) or stick with the big names: Google, Microsoft, Apple, etc. The last thing they want is for security problems to make the headlines.
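The comment above says a forged From address fools most recipients unless they look at the headers, and that the damaging variant carries the real person’s full name on a slightly different address. As an added example (not code from the original post or from the commenter), here is a small check a recipient’s mail filter could run: it parses the raw message, compares the From display name against a constructed address book, and flags a display name that belongs to a known contact but arrives from another address, as well as a Reply-To that would send the answer somewhere other than the apparent sender. The `KNOWN_CONTACTS` table, the `check_sender` function and all addresses and messages are constructed for the example, on reserved example domains.

```python
# Added example, not code from the original post or the commenter above:
# surface the header cues the comment mentions, a From display name that
# matches a known contact but carries a different address, and a Reply-To
# that would send the answer somewhere else. All names, addresses and
# messages are constructed samples on reserved example domains.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed address book: display name -> the address it really belongs to.
KNOWN_CONTACTS = {
    "avram miller": "avram@example.com",
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw: bytes) -> list:
    """Return warning strings for a raw message; an empty list means no cue."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    warnings = []

    # Cue 1: a familiar name on an unfamiliar address.
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and expected != from_addr.lower():
        warnings.append(f"display name '{from_name}' belongs to {expected}, "
                        f"but this message comes from {from_addr}")

    # Cue 2: the reply would not go back to the address shown in From.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
        if _domain(reply_addr) != _domain(from_addr):
            warnings.append("Reply-To is on another domain: the answer "
                            "would not reach the apparent sender")
    return warnings


# Constructed sample messages.
GENUINE = b"""From: Avram Miller <avram@example.com>
To: admin@bank.example
Subject: Quarterly statement

Could you send me last quarter's statement when you have a moment?
"""

LOOKALIKE = b"""From: Avram Miller <avram.miller@example.net>
To: admin@bank.example
Subject: Quick request

Can you give me a call this afternoon?
"""

DIVERTED = b"""From: Avram Miller <avram@example.com>
Reply-To: Avram Miller <a.miller@example.org>
To: admin@bank.example
Subject: Quick request

Can you give me a call this afternoon?
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("diverted", DIVERTED)):
        print(label, check_sender(raw) or ["no warning"])
```

Neither cue proves forgery on its own (people legitimately write from a second address, and mailing lists set Reply-To), which is why the check returns warnings for a human to act on rather than a verdict. It also does nothing for the case the post itself describes, where the message really did come from the compromised account: for that, only an out-of-band confirmation, the verbal check with the bank that the post recommends, catches the request.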

My gmail account was hacked several weeks back – almost identical MO, to include parsing through my 80,000 emails, copying all financial emails into my Trash folder (where I would not think of looking), contacting my CPA and asking as a favor to prepare to wire monies (since I was “out of town and unable to arrange the wire”). They had read my email sufficiently well to mimic my style – but not perfectly, and to the extent that my CPA called to check on my email request. When I looked closer at my account I saw how emails had been marked, copied, etc. Avram’s list is superb and will save you time vs. the learning process I was obliged to follow. One thing I also did was to click on the “Details” button that logs and reports by IP Address “Recent account activity”. When I did this I quickly identified a Mobile IP address in CA that was repeatedly logging into my email account. Upon receiving the call from my CPA I changed my gmail password – this immediately prevented further log-ins from the “Mobile hacker”. One other great concern I had was the potential that they had been able to find “a password” in my email that would allow them to log into my Carbonite desktop back-up account. Had they done this they would have been able to easily access “all” my files complete with lists of passwords (I have so many that I cannot remember them all). As a final step, I created a “new” gmail account with a new password and from this point on will restrict communications with my financial contacts to this new account (which of course would be a treasure-trove to hackers if this was compromised). I intend to keep its password super-secure and different from any others that I use. Bottom line: I (and Avram) might have “dodged a bullet” … nevertheless it is clear that this MO is rampant.

p.s. I should have clarified that the “Details” button that I referred to in my comment relates to a “gmail” button that is located at the bottom right of each open email. If others have been accessing your gmail account, you will see them in the log.

Whoa. Thanks for writing that, Avram. Positively scary. And you are by no means the first technically literate person to suffer this. I suspect we all have to assume we’ll be hacked at some time and plan accordingly. I’m definitely due to make some account changes.

Hey! I just wanted to ask if you ever have any trouble with hackers?
My last blog (wordpress) was hacked and I ended up losing a few months of hard work due to no backup.
Do you have any solutions to stop hackers?